For HIPS - can you explain "Install Mode"??

Discussion in 'other anti-malware software' started by bellgamin, Sep 29, 2008.

Thread Status:
Not open for further replies.
  1. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    I am presently trialing TWO classical HIPS programs. One of them has an Install Mode. The other does not.

    Hopefully, your comments -- made in response to this thread -- will enable me to decide whether or not an Install Mode is "essential" or merely "nice to have." Thus, any and all comments will be greatly appreciated.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    A- Background:

    1- Several classical HIPS programs have an "Install Mode" for use when installing a new program. The ostensible purpose of Install Mode is to reduce Alert pop-ups that are made by the HIPS during the time when user is installing a new/unknown program.

    (NOTE: I *assume* that, during the time the HIPS is in Install Mode, the HIPS actually DOES monitor for extremely dangerous actions during installation. However, I do not know WHICH (if any) actions the HIPS program is actually monitoring. AFAIK, Install Mode might simply put the HIPS into a sort of "ignore everything" state. :argh:

    ==>Can anyone make a "guess-estimate" as to which behaviors (if any) a HIPS program will actually monitor while in "Install Mode"?)


    2- Most classical HIPS programs have a Learning Mode. When the HIPS is in this mode, it will accept any and all actions by any process -- under the assumption that all processes used while in Learning Mode are FULLY trusted and *safe*.

    3- Examples of HIPS with both an Install Mode AND a Learning Mode: (a) Real-time Defender (RTD) and (b) Defense+ (D+).

    4- Examples of HIPS which lack Install Mode but which DO have a Learning Mode: (a) Malware Defender (MD) and (b) Safe'n'Secure (SnS).

    B- Goal: I want to set my classical HIPS program in such a way as to:

    1- Keep Alert pop-ups by my HIPS to a minimum while installing an unknown program

    AND (at the same time)

    2- Maintain a reasonable degree of assurance that my HIPS program will alert me if the unknown program manifests significant indicators that it might be malware.

    C- Question: What are the main differences-in-protection between the following alternative ways of having a HIPS program monitor installation of an unknown program?

    (a) Put the HIPS program into Install Mode (if it has one)

    VERSUS

    (b) Disable the HIPS program altogether while installing the unknown program

    VERSUS

    (c) Put the HIPS program into Learning Mode (if it lacks Install Mode)

    VERSUS

    (d) Leave the HIPS in full-on Normal Mode & live with the fact that this alternative will cause me to have to deal with a dozen pop-ups or more.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Again -- any & all comments will be read carefully and greatly appreciated.

    Aloha... Bill Bellgamin
     
  2. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    To address one part of your question, in all honesty I don't know if install mode allows the installer to perform all actions it wants to, or allows most all actions while watching for a few that are almost certainly aberrant. That's a good question, maybe the answer could be found by reading through the manual of the application, asking this same question on the forum of the program in question (if existent), or possibly by mailing the developer. It could be and probably is different with each application. I'd like to learn more on this myself.
     
  3. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    I don't know the answer to your question, but if you use a behavioural blocker such as ThreatFire, PRSC, Mamutu, etc you'll definitely
     
  4. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    From what I understand, Install mode is basically for notification suppression. When installing any app, it will make many changes/additions to the system. The logic is, if user trusts the installer, he can move to installer mode where the notifications will be suppressed.

    Now each HIPS differs a bit. Some totally don't show any notifications at all, while some will only show HIGH PRIORITY notifications where the program may be showing undeniable malware-like behavior. Regardless, most HIPS will log events even in install mode. So if you have any suspicions, you can look up the event log.


    Hope I could answer the query.
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Endorse this, only my experience is that install mode also means that no logs are created. Most HIPS I used, logged only the user decisions, instead of intrusions, so install mode means no pop-ups, no user decisions, no log.

    EQS is an exception, it has a learning mode and a normal mode, I created an install mode in which everything was allowed and logged.

    ThreatFire has decent logging independent of the user decision (user answer only determines in which tab they can be seen)

    Spyberus beta is interesting when you have set up a power user in XP Pro or use Surun with XP Home. It notifies on dangerous actions (driver installation, loading, hook setting, memory injection, etc) and keeps a log to undo the changes.
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The only HIPS I've used is SSM, free and paid versions. I've no idea how much the behavior of "install mode" varies from one brand to another.
    The help file for SSM 2.4.0.622 has the following regarding the "install mode."
    SSM does have an option for "extended logging" when in install mode.

    IMO, using the install mode is a risk unless you know the app you're installing and know for certain that your copy is clean. I've only used it a couple of times and didn't like it. When an installer starts Regsvr32.exe to register DLLs, you won't know it in install mode. While you can check the logs if you have extended logging enabled, it's all "after the fact". If the installer was compromised or bundled with malware, by the time you find out, the damage is done. Extended logging won't be much consolation if the installer or new file contained a rootkit. There are very few times when your system is more vulnerable than it is when software is being installed. IMO, this is when you want your security apps to watch everything, not giving a free pass to an app, update, etc that you haven't run before.

    The only way I'd use an install mode is with an installer I already know and trust. IMO, that trust should be limited to files you're storing locally where you know they can't be compromised, such as copies kept on a CD. I would not extend that trust to any downloaded file, even if you know the company or the application. File servers can be hacked. You can't be completely sure, so why lower your defenses, especially when all it will cost you is a bit more time and a few more prompts to answer. Even if you could guarantee that the file you're about to install is clean, you still can't be sure that the changes that new updated version makes to your system won't cause a problem with something else. You have a better chance of preventing this kind of problem when you can monitor the activities in real time, instead of using a log to try to undo the changes. I'd also avoid the install mode when installing patches and security updates. Running them without restriction can get you an updated version of WGA or some "improved" DRM without asking your approval.
     
  7. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Based on what I have seen here, it seems that Install Mode is NOT very safe.

    Perhaps the best suggestion is the one by poster "Someone" -- to run Mamutu during install (with my classic HIPS temporarily disabled).

    THANKS to everyone for your excellent comments!

    Aloha,
    W.P.T. (Bill) Bellgamin
    ><)))°>
     
  8. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    IMO I think the whole point of install mode is that what you're installing you believe to be safe, or learning mode for the HIPS to learn how each program currently on board behaves or how it is used by the user without question. Thereafter, setting the HIPS back to normal would question any changes or modifications by the user or other processes. So in a sense, doesn't a classic HIPS of allow or deny good or bad lie totally in the hands of the user, because no behavior background heuristics and blacklisted, or am I wrong?
     
  9. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    I will answer the only part of your comment that I *think* I understand.

    Namely, as I understand it, if a malware is installed while my HIPS is in Install Mode, it is NOT likely that my HIPS will later spot the malware before the malware has time to do some damage.

    In other words, use of Install Mode will IMPAIR the protectiveness of my HIPS when installing unknown programs.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Further, I now feel that a HIPS which includes Install Mode might be lulling users into a false sense of security when using that mode.
     
  10. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Good points bill that makes sense thanks
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    I use INSTALL MODE on my Vista Customize transformations on XP Pro just to be sure I can follow its progression. Same with other safe apps, but when I harbor doubts about new code.

    Otherwise, I rarely ever use it for anything else.

    EASTER
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    That is why I initially set up all our computers with a policy HIPS (or policy sandbox) and a behavior blocker (ended up with GW Pro, DW and TF Pro, Mamutu and PRSC licenses).

    But even behavior blockers launch too many pop-ups (hook setting, driver install/load etc), so I fell back to keeping images (1 actual and 2 backups) and data backups (1 online actual and 2 time stamped backups).

    Point is when you destabilize your setup you open the gates of your security defense.

    Windows SteadyState etc provide solutions for it, but slow down systems too much. Spyberus offers lighter installation control and less slow down. I am playing with it at the moment.

    regards
     
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    IMO, the extra prompts and alerts caused by an install, update or patch are a small price to pay. In addition to monitoring the install process, you also can gain some control over it that the installer might not give you. For example, you might want a particular piece of software but don't want it to be autostarted. With a HIPS that monitors the registry, services and autostart folders, you have that option. You might want a particular application but not another one that's bundled with it. You may be able to allow the one installer to run and block the other one.

    I also keep the firewall running during an install, update, patching, etc. Installers that try to call home have caused me to terminate more installs than anything else has. I don't remember specifically which Windows update it was, but one of them wanted to terminate the firewall on a friend's XP box. I had SSM set to protect the firewall process at the time. It gets hard to trust an OS that wants to shut down your security apps without any warning.

    While HIPS may be good for monitoring the activities that take place during an install or update, they're not designed to be install monitors. If it's important to you to know everything that an installer or update changes, a good install monitor like Inctrl5 does a much more thorough job, especially with added files, file association changes, and other registry changes. The 2 complement each other quite well. Even with SSM, the firewall, and other security apps running, and an install monitor recording the changes, I still make a system backup first. If for some reason I decide not to keep the software or update, it's easy to get back to where I started. Definitely beats undoing registry changes manually for a big install.
     
  14. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    I currently use EQS, Online-Armor and Defensewall. EQS does not have an Install mode and I find that I have to disable EQS protection whenever installing new software. The amount of pop-ups produced is just too much. I could set up EQS to allow everything and log changes. However, I already use Total Install, FileChangeAlarm, MJ Registry Watcher, Tiny Watcher, regprot, FingerPrint and What's Running. They give me a very good record of what has changed during the installation.

    Online-Armor does have an Install Mode but I am not sure whether this just inhibits all pop-ups or offers some limited form of protection during installation (I'll post a question on OA's forum). If I forget to check the Install Mode, the number of pop-ups again is intolerable and I end up turning off the Program Guard.

    I have also used Comodo's Defense+ and I have to say the Install mode I find very useful. I have always assumed that everything is allowed when in this mode because I get no pop-ups at all. Something that's very unusual with D+.

    With Defensewall, I always change the executable file from Untrusted to Trusted before installation. If I do this with DW, I might as well do it with all my other HIPS.

    I now take the view that if the program has been scanned by AntiVir, SAS and MBAM, then I treat it as trusted and install it with the knowledge that I have a record of changes it makes. If it turns out to be malware or upsets my system, I return to a previous FD-ISR snapshot.

    I rely more heavily on signature-based programs and back-up strategy for my protection when installing new software. I am not sure what my HIPS are monitoring in the Install mode so I assume they are monitoring nothing and look elsewhere for protection.
     
  15. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    With SSM, Install Mode allows the program to run any child processes and make any registry changes. Driver installation and physical memory access should still trigger an alert as malware with these permissions could disable SSM itself (or any other security software).

    Without Install Mode, a setup program could potentially trigger dozens of alerts if it is making significant Registry changes so proper use of this feature is necessary in preventing "prompt paralysis". However as Noone_particular points out, even legitimate software may make system-wide changes that users find objectionable (.NET Framework or DirectX updates, DRM installation). As such, the combination of Install Mode with an appropriate uninstaller (like Total Uninstall) which can track and reverse changes, is likely the best balance for most.
     
  16. Kyle1420

    Kyle1420 Registered Member

    Joined:
    May 27, 2008
    Posts:
    479
    Good questions Bellgamin. I'm familiar with Defense+ so I will comment on that.

    Installation VS disable; Installation mode is more secure than disabling because it remembers the pre-existing rules... But yes there isn't much difference, and there isn't much to gain unless your rules consisted of blocked apps, which would be allowed in disabled mode.

    Course if you were installing an unknown app.. You'd be best to run it under safe mode or paranoid mode if you want to see every detail of what the app is doing.

    Kyle
     
  17. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,434
    Location:
    Europe
    Mainly I use SSM and when I install it, I never use the learning mode ( so I do with whichever HIPS I use, if it's possible ); Bellgamin, I understand your goal, maybe it's different from mine, I don't know, and I say only as contribution to the 3D: for me, the best - the only one :) - way to use an HIPS is to install it not in learning mode, reboot the pc and set every application begins to run. And when it's possible, I prefer to install a new sw not in learning mode, also if all these alerts are boring.
     
  18. JosephB

    JosephB Registered Member

    Joined:
    Jan 3, 2008
    Posts:
    310
    Does anyone know whether, Netchina S3 has an "Install mode" ?

    BTW, although I have not tried Malware Defender yet, it is my understanding that Malware Defender has an option on alert to add to an "Installers and updaters" group, so if the choice to add to the "Installers and updaters" group was chosen, wouldn't this be equivalent to an "install mode" for the duration of the executing pgm being installed and effectively suppress further alert prompts for the application being installed? ... If I am correct about this, then wouldn't this option of Malware Defender be even better than an install mode where you might forget to switch back to normal mode?
     
  19. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Tested OA's Install Mode and found that all actions of the installer are permitted with the exception of Autoruns modification and Hard Disk Access.

    Create executable - Allowed
    Modify executable - Allowed
    Start another process - Allowed
    Change memory access protection - Allowed
    Resume thread in another process - Allowed
    Suspend process/thread - Allowed
    Autorun warning - WARNING ACTIVE
    Access hard disk - WARNING ACTIVE
    Physical memory access - Allowed
    Set global hooks - Allowed

    The response to the question raised on OA's forum is here.

    http://support.tallemu.com/vbforum/showthread.php?t=5517

    Unfortunately nobody could offer any further details about Install Mode.
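As an added example (not code from this thread or from any HIPS vendor), a small Python script that triages a HIPS event log written while the HIPS was in Install Mode, using the silently-allowed and still-prompting action lists from hammerman's Online Armor test above and Paranoid2000's earlier note on SSM; the log line format, the action names and the sample log lines are all assumptions constructed for the example.

```python
# Added example (not the thread's or any vendor's code): after-the-fact triage of
# a HIPS event log written while in Install Mode.  Assumed line format:
#   <time> <mode> <action> <process> -> <target>
import re

# Constructed sample log, not output of a real product.
SAMPLE_LOG = """\
12:01:02 install create_exe setup.exe -> C:\\Program Files\\Foo\\foo.exe
12:01:03 install start_process setup.exe -> C:\\Windows\\system32\\regsvr32.exe /s foo.dll
12:01:04 install registry_write setup.exe -> HKLM\\Software\\Foo\\Version
12:01:05 install set_global_hook foo.exe -> WH_KEYBOARD_LL
12:01:06 install physical_memory_access foo.exe -> \\Device\\PhysicalMemory
12:01:07 install driver_install setup.exe -> C:\\Windows\\system32\\drivers\\foo.sys
12:01:08 install autorun_modify setup.exe -> HKLM\\...\\Run\\Foo
12:01:09 install resume_thread foo.exe -> explorer.exe
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) -> (.*)$")

# Actions Install Mode lets through without a prompt, following hammerman's
# Online Armor test; autorun changes, raw disk access and (per Paranoid2000's
# SSM note) driver installation still prompt, so they are left out.
SILENT_IN_INSTALL_MODE = {
    "create_exe", "modify_exe", "start_process", "registry_write",
    "change_mem_protection", "resume_thread", "suspend_thread",
    "physical_memory_access", "set_global_hook",
}
# Silently allowed actions that can disable the HIPS itself or inject into
# other processes, so they deserve a human look after the install.
HIGH_RISK = {"set_global_hook", "physical_memory_access",
             "resume_thread", "change_mem_protection"}
# Child processes worth a second look; regsvr32 DLL registration is the case
# noone_particular mentions above.
SUSPECT_CHILD = re.compile(r"\\(regsvr32|rundll32)\.exe\b", re.IGNORECASE)

def parse(log_text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            time, mode, action, proc, target = m.groups()
            events.append({"time": time, "mode": mode, "action": action,
                           "process": proc, "target": target})
    return events

def review(events):
    """Events that passed silently in Install Mode but deserve review."""
    flagged = []
    for ev in events:
        if ev["mode"] != "install" or ev["action"] not in SILENT_IN_INSTALL_MODE:
            continue
        if ev["action"] in HIGH_RISK or (
                ev["action"] == "start_process" and SUSPECT_CHILD.search(ev["target"])):
            flagged.append(ev)
    return flagged

def still_prompts(events):
    """Events Install Mode would still have prompted on (handled live, not in review)."""
    return [ev for ev in events if ev["action"] not in SILENT_IN_INSTALL_MODE]

if __name__ == "__main__":
    for ev in review(parse(SAMPLE_LOG)):
        print(ev["time"], ev["action"], ev["process"], "->", ev["target"])
```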
     
  20. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Your understanding is correct -- MD does have option to add to Installers & Updater group.

    If the program I am installing IS malware. Then...

    1- If I use "Install Mode" (for Online Armor, or System Safety Monitor, etc) or "Installers & updaters group" (for Malware Defender) then I won't get pop-ups BUT I will NOT be alerted that the program is malware and I will be infected.

    2- REASON: When using "Install Mode" or "Installers & updaters group" the program is (in effect) TRUSTED, even if the program is malware.

    3- BOTTOM LINE: Avoiding pop-ups when installing an unknown program INCREASES my risk of not spotting malware before it infects my computer.
     
  21. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    For me, an install mode is an unnecessary convenience that weakens your defenses when your system is at its most vulnerable, the installing or executing of new/unknown code. The average user doesn't spend that much time installing and updating, so it's not like it saves you that much time. If a user dislikes prompts and alerts badly enough to lower their defenses during an install or does so much installing that answering prompts does take that much time, I'd have to ask that user why they installed HIPS in the first place. IMO, an app like SSM can best be described as anti-change software. It prevents changes to your system. It makes no sense to lock your system down against unwanted changes, then allow an installer or updater to change whatever it wants without monitoring it at the very least, and preferably having real time control over it. You'd think users would have seen enough junk bundled into installers, even with apps that were always clean before, or even slipped into "critical updates" at times, that they'd stop being so trusting of installers.

    IMO, an install mode should only be used with installers, updates, patches etc that you have on file, copies you've used before and know are clean and compatible. For me, that would be offline system building or restoring only.
     
    Last edited: Oct 8, 2008